CVE-2022-0888
CVE-2022-0888 is a critical-severity vulnerability with a CVSS 3.1 base score of 9.8. The Ninja Forms - File Uploads Extension WordPress plugin, in versions up to and including 3.3.0, is vulnerable to arbitrary file upload: the file type validation in ~/includes/ajax/controllers/uploads.php is insufficient and can be bypassed, so an unauthenticated attacker can upload malicious files and use them to obtain remote code execution. EPSS estimates a 39.39% probability of exploitation in the next 30 days.
Description
The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file upload in versions up to and including 3.3.0. The file type validation in ~/includes/ajax/controllers/uploads.php is insufficient and can be bypassed, which lets unauthenticated attackers upload malicious files that can then be used to obtain remote code execution.
Metrics
CVSS 3.1 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, that is, attack vector Network, attack complexity Low, privileges required None, user interaction None, scope Unchanged, and High impact on confidentiality, integrity and availability.
Weakness Enumeration
CWE-434: Unrestricted Upload of File with Dangerous Type (the weakness class matching the description above)
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Ninjaforms | Ninja Forms File Uploads | <= 3.3.0 |
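The affected range is "up to and including 3.3.0", so checking an installation comes down to reading the plugin's `Version:` header and comparing it numerically. The following added example (not part of the advisory and not the plugin's own code) does that against a WordPress tree. It assumes the plugin's main file carries the header title "Ninja Forms - File Uploads" and, in the self-check only, that the plugin directory is `ninja-forms-uploads` with main file `file-uploads.php`; the sample header is constructed inline.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Last affected release according to this advisory (affected range is <= 3.3.0).
LAST_AFFECTED = (3, 3, 0)
# Assumed header title of the plugin's main file; adjust if the installed copy differs.
PLUGIN_NAME = "ninja forms - file uploads"

# WordPress reads plugin metadata from "Key: value" lines in the comment block at the
# top of the plugin's main file (it looks at the first 8 KiB of the file).
_NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.M)
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.M)


def parse_version(s: str) -> tuple:
    """'3.3', '3.3.0' and '3.3.1-beta1' become (3,3,0), (3,3,0) and (3,3,1).
    Compare as integers: as strings '3.10.0' < '3.3.0', which would mark a
    fixed release as vulnerable."""
    core = re.split(r"[-+]", s.strip(), maxsplit=1)[0]
    nums = []
    for part in core.split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    return parse_version(version) <= LAST_AFFECTED


def header_fields(text: str) -> tuple:
    """(Plugin Name, Version) from a plugin file header; None for a missing field."""
    head = text[:8192]
    n = _NAME_RE.search(head)
    v = _VERSION_RE.search(head)
    return (n.group(1) if n else None, v.group(1) if v else None)


def find_installed_version(wp_root) -> Optional[str]:
    """Scan every top-level .php file under wp-content/plugins/* and return the
    Version: of the one whose Plugin Name: matches, or None if not installed."""
    for f in Path(wp_root).glob("wp-content/plugins/*/*.php"):
        name, version = header_fields(f.read_text(encoding="utf-8", errors="replace"))
        if name and PLUGIN_NAME in name.lower():
            return version
    return None


# Constructed sample of a plugin main-file header (not the real plugin file).
SAMPLE_PLUGIN_FILE = """<?php
/*
Plugin Name: Ninja Forms - File Uploads
Description: File Uploads extension for Ninja Forms
Version: 3.3.0
*/
"""


def selfcheck() -> tuple:
    """Build a throwaway WordPress-like tree with the sample header and check it.
    Directory and file names below are assumptions for the demo."""
    with tempfile.TemporaryDirectory() as root:
        plugin_dir = Path(root, "wp-content", "plugins", "ninja-forms-uploads")
        plugin_dir.mkdir(parents=True)
        (plugin_dir / "file-uploads.php").write_text(SAMPLE_PLUGIN_FILE)
        version = find_installed_version(root)
    return version, bool(version and is_affected(version))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        version = find_installed_version(sys.argv[1])   # path to the WordPress root
    else:
        version = selfcheck()[0]
    if version is None:
        print("plugin not found")
    else:
        print(f"installed {version}: {'AFFECTED' if is_affected(version) else 'not affected'}")
```

Run it with the WordPress root as the only argument; without an argument it checks the constructed sample tree. A version read from the header is only as trustworthy as the files on disk, so on a host that may already be compromised, compare it with the version recorded by WordPress itself and with the upload directory's contents.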
References
- https://gist.github.com/Xib3rR4dAr/5f0accbbfdee279c68ed144da9cd8607 (Exploit, Patch, Third Party Advisory)
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0888 (Third Party Advisory)
Frequently Asked Questions
What is CVE-2022-0888?
An unauthenticated arbitrary file upload vulnerability in the Ninja Forms - File Uploads Extension WordPress plugin, versions up to and including 3.3.0. The file type validation in ~/includes/ajax/controllers/uploads.php can be bypassed, and an uploaded malicious file can be used to obtain remote code execution.
How severe is CVE-2022-0888?
Critical: CVSS 3.1 base score 9.8. It is reachable over the network with low attack complexity, needs no privileges and no user interaction, and has high impact on confidentiality, integrity and availability. EPSS estimates a 39.39% probability of exploitation in the next 30 days.
How do I fix CVE-2022-0888?
Update the plugin to a release newer than 3.3.0; the affected range is <= 3.3.0, and the Wordfence advisory and the linked gist (tagged Patch) cover the fix. Because the flaw is exploitable without authentication and a public exploit reference exists, also review the upload directory for unexpected files, in particular anything with a PHP-executable extension or PHP code inside an apparently benign file.
Source: NVD / NIST
